Prior art FIG. 1 illustrates a method 100 by which network communications are established, in accordance with the prior art. Network communications (i.e. Internet communications, etc.) utilizing various protocols (TCP, etc.) often begin with an effort to establish a connection.
When a TCP connection attempt begins, a destination host receives a synchronize (SYN) packet from a source host, as indicated in operation 102. In response to receiving such SYN packet, a designated memory, typically of finite size, is allocated to track the establishment of the connection. Note operation 103.
Thereafter, in operation 104, the destination host sends back a SYN acknowledgement packet (SYN/ACK). The destination host must then wait for receipt of a handshake ACK before the connection is established, as set forth in decision 106. This is typically referred to as the “TCP three-way opening handshake.”
While waiting for the handshake ACK, the memory of finite size on the destination host keeps track of other connections waiting to be completed. This queue typically empties quickly since the handshake ACK is expected to arrive a few milliseconds after the SYN/ACK packet is transmitted.
Upon receipt of the handshake ACK, the connection is open and the associated portion of the finitely sized memory is used for tracking and maintaining the now open connection. Note operation 110. On the other hand, if the handshake ACK is not received within a predetermined timeout period (note decision 108), a test is made to determine if the maximum number of SYN/ACK retransmissions has occurred (note decision 112). If the maximum number of retransmissions has not yet occurred, the SYN/ACK packet is retransmitted. Note operation 114. If the maximum number of retransmissions has occurred, the process is ended and the memory is de-allocated. Note operation 116.
A denial-of-service (DoS) attack exploits this design by having an attacking source host generate TCP SYN packets with random source IP addresses and source ports toward a victim destination host. The victim destination host then sends a SYN/ACK packet back to the random source address (in accordance with operation 104 of the method 100 of FIG. 1) and adds an entry to the connection queue of the memory.
Since the SYN/ACK packet is destined for an incorrect or non-existent host, the last part of the “three-way opening handshake” is never completed, the memory remains allocated to the connection attempt, and the entry remains in the connection queue until the maximum number of retries has been transmitted and the timer expires, typically for about one minute. By generating phony TCP SYN packets from random addresses at a rapid rate, it is possible to fill up the connection queue of the memory and deny TCP services (such as e-mail, file transfer, WWW, etc.) to legitimate users.
There is no easy way to trace the originator of the attack because the IP address of the source is typically forged. There is thus a need for a more effective technique of managing network connection attempts in a manner that avoids the ramifications of network overload due to these and other factors.